Exploring Syscall Evasion – Linux Shell Built-ins
Blog post from Sysdig
The article by Jason Andress explores syscall evasion techniques on Linux systems, focusing on the use of bash shell builtins to slip past security monitoring tools that track process execution through the execve() syscall. It shows how tools that rely on execve() alone can miss activity performed with builtins such as read and echo, which reproduce the behaviour of external commands (reading or writing a file, for example) without ever spawning a new process. The text stresses the number and variety of syscalls involved in even simple operations, and points out that defenders can watch other syscalls, such as openat(), to catch file access that never passes through execve(). It concludes that monitoring process execution alone is insufficient and argues for a broader approach that accounts for the full range of syscalls and system interactions. The article is the first in a series on syscall evasion; it notes that comparable techniques exist on Windows and recommends strace for examining which syscalls a command actually makes.
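As an added example (not code from the Sysdig post), the detection logic the summary describes, run over constructed strace -f -o style lines: a monitor that only inspects execve() sees the external cat, while a monitor that also inspects openat() catches bash reading the same file through its read builtin. The pids, paths and trace contents are constructed sample data; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed strace -f -o style output (sample data, not from the post).
# PID 1001 is bash reading /etc/shadow with the `read` builtin (no execve);
# PID 1002 is the external `cat` binary reading the same file.
TRACE = """\
1001 execve("/usr/bin/bash", ["bash"], 0x7ffd1234 /* 20 vars */) = 0
1001 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 3
1001 read(3, "root:*:19000:0:99999:7:::\\n", 4096) = 26
1001 close(3) = 0
1002 execve("/usr/bin/cat", ["cat", "/etc/shadow"], 0x5580aa00 /* 20 vars */) = 0
1002 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 3
1002 read(3, "root:*:19000:0:99999:7:::\\n", 131072) = 26
"""

LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted string arguments

@dataclass
class Event:
    pid: int
    syscall: str
    strings: list   # quoted arguments in order (execve: path, then argv)
    ret: int

def parse_trace(text):
    """Parse pid-prefixed strace lines into Event records; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, name, args, ret = m.groups()
            events.append(Event(int(pid), name, STR_RE.findall(args), int(ret)))
    return events

def exec_monitor_alerts(events, sensitive):
    """What an execve()-only monitor sees: pids whose argv names a sensitive file."""
    return [e.pid for e in events
            if e.syscall == "execve" and any(a in sensitive for a in e.strings[1:])]

def openat_monitor_alerts(events, sensitive):
    """What an openat() monitor sees: every successful open of a sensitive path,
    attributed to the last image execve()'d by that pid (bash itself for builtins)."""
    image, alerts = {}, []
    for e in events:
        if e.syscall == "execve" and e.ret == 0:
            image[e.pid] = e.strings[0]
        elif e.syscall == "openat" and e.ret >= 0 and e.strings and e.strings[0] in sensitive:
            alerts.append((e.pid, image.get(e.pid, "<unknown>"), e.strings[0]))
    return alerts

if __name__ == "__main__":
    ev = parse_trace(TRACE)
    print("execve-only monitor flags pids:", exec_monitor_alerts(ev, {"/etc/shadow"}))
    print("openat monitor flags:", openat_monitor_alerts(ev, {"/etc/shadow"}))
```

The builtin-based read shows up only in the openat() view, attributed to the bash image rather than to a separately executed reader.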